Exchange Log

Month: October 2016

Overview

Over the span of the last 3 weeks, I’ve encountered five different customers experiencing this issue. Through my own lab testing and working with Microsoft Premier Support, we were able to diagnose the issue as being related to a recent Windows Update that was installed on the customers’ Windows Server 2012 Domain Controllers that introduced authentication issues.

Symptoms

Outlook users in Exchange environments experience repeated authentication prompts when attempting to access their mailbox. OWA and ActiveSync were not affected by this “login prompt loop.” The issue began presenting itself after Windows Updates were applied to the Domain Controllers in the environment. Another symptom experienced in some customer environments was authentication issues when accessing Terminal Services/Remote Desktop Services.

Troubleshooting

In testing, I actually found the authentication loop began when the Outlook client attempted to authenticate to the AutoDiscover service. From the client machine, I decided to test the authentication process by using Internet Explorer to browse to https://AutoDiscover.Contoso.com/AutoDiscover/AutoDiscover.xml. After initially authenticating, I was presented with repeated login prompts; the same symptoms seen in the Outlook clients. At one point I was curious to see if the issue was related to Windows/Kerberos authentication, so I decided to disable all authentication methods on the AutoDiscover virtual directory except for Basic. After doing this, I was able to successfully authenticate to AutoDiscover. Since this issue was affecting both the AutoDiscover and RPC virtual directories, it made me think it wasn’t necessarily Exchange that was broken, but AD authentication itself.

We first looked at recent Windows Updates on the Exchange servers themselves, but saw nothing unusual. Even as a precautionary measure we removed the Windows Updates that were recently installed on the Exchange Servers the previous day, but the issue remained. We then noticed some recently installed updates on the Domain Controllers which were related to authentication. After removing all updates installed the previous day, the issue was resolved and the authentication loops were gone. We then spent time (via process of elimination) trying to determine which update was the culprit.

Solution

Steps to reproduce:

- Have a 2012 non-R2 DC
- Have KB3175024 installed but DO NOT have KB3177108 (released back in August) installed.

Obviously one possible resolution in my case is to install KB3177108 (which immediately resolved my RDP and Exchange login issues). However, I was curious as to why KB3177108 was not installed on multiple customers’ environments. After working with Microsoft, it appears that it was either because there was an issue initially installing KB3177108, or some customers chose to not install it for possible incompatibility reasons.

Ultimately, the reason we encountered these issues was that the KB3175024 update builds on dependencies of KB3177108, but will install anyway (in error) if KB3177108 is not present, resulting in the issue above. In short, KB3175024 makes changes that assume KB3177108 is present. It installs even if KB3177108 is not present and causes authentication issues.
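
A check for the update combination described above, as an added example that is not from the original post. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the account running it can query each domain controller remotely, and that both updates are reported by Get-HotFix; the status labels are made up for this example.

```powershell
# Added example: flag domain controllers that have KB3175024 without KB3177108.
# Assumes the ActiveDirectory module and remote WMI access to every DC.
Import-Module ActiveDirectory

$dependent = 'KB3175024'   # update that assumes the other one is present
$required  = 'KB3177108'   # update it builds on

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Get-HotFix reads Win32_QuickFixEngineering on the remote machine
        $installed = @(Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
                       Select-Object -ExpandProperty HotFixID)

        $hasDependent = $installed -contains $dependent
        $hasRequired  = $installed -contains $required

        # Status labels are constructed for this example
        $status = if ($hasDependent -and -not $hasRequired) { 'MissingDependency' }
                  else { 'OK' }

        [pscustomobject]@{
            DomainController = $dc.HostName
            OperatingSystem  = $dc.OperatingSystem   # the post's repro is 2012 non-R2
            KB3175024        = $hasDependent
            KB3177108        = $hasRequired
            Status           = $status
        }
    }
    catch {
        # A DC that cannot be queried is reported, not silently skipped
        [pscustomobject]@{
            DomainController = $dc.HostName
            OperatingSystem  = $dc.OperatingSystem
            KB3175024        = $null
            KB3177108        = $null
            Status           = "QueryFailed: $($_.Exception.Message)"
        }
    }
}

# Problem DCs first, then the rest
$report | Sort-Object { $_.Status -eq 'OK' }, DomainController |
    Format-Table -AutoSize
```

Any domain controller listed as MissingDependency matches the condition in the steps to reproduce and is a candidate for installing KB3177108.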
